160 lines
22 KiB
Markdown
160 lines
22 KiB
Markdown
Title: I traced the global age verification lobby across 470 sources. The same people write the laws, set the standards, run the certification, and sell the tools. Here is what I found.
|
|
|
|
This is a summary of a **16-file open source investigation** into age verification laws being passed worldwide. Every claim links to a public source. The full investigation, with **470 sources** across government databases, court records, corporate registries, legislative records, and investigative journalism, is published at https://tboteproject.com/findings/
|
|
|
|
I am not claiming child exploitation is fake. It is real. I am not claiming the people involved have evil intentions. Many sincerely believe they are protecting children. What the investigation documents is that the system being built to protect children **doubles as mass surveillance infrastructure**, shaped by people with financial and political conflicts of interest, and no democratic process in any affected country has considered these connections because no one had mapped them before.
|
|
|
|
**The children are real. The exploitation is real. The protection is not what it appears to be.**
|
|
|
|
---
|
|
|
|
# One person wrote the template
|
|
|
|
A British filmmaker turned baroness named **Beeban Kidron** wrote the UK's Age Appropriate Design Code. Her foundation, **5Rights**, then got it copied into California law. A US government FARA filing confirmed that her UK-based foundation directly lobbied California legislators, wrote materials for elected officials, and negotiated bill language. [FARA filing](https://efile.fara.gov/docs/7427-Short-Form-20240627-4.pdf). 5Rights hired the former chief consultant to the California committee considering the bill.
|
|
|
|
Her foundation then spent three years campaigning to pass a similar law in Brazil. The same template is being pushed in Australia, the EU, Indonesia, Canada, and other countries.
|
|
|
|
Kidron also co-led the technical standard (**IEEE 2089.1**) that age verification companies must meet. The person running the certification program for that standard simultaneously heads the age verification industry trade group, the **AVPA**. So the same network writes the law, writes the standard, runs the certification, and sells the compliance tools.
|
|
|
|
> "Consultation is the playground of the tech lobbyist and inaction is the most powerful tool in politics." - Baroness Kidron, House of Lords debate, January 21, 2026
|
|
|
|
2022 was the global inflection point. In one calendar year, the EU signed the Digital Services Act, the UK introduced the Online Safety Bill, the US Senate received KOSA, Brazil introduced PL 2628, California signed the AADC, Louisiana passed the first US state age verification law, and the EU unveiled Chat Control. **Thorn** (Ashton Kutcher's organization) spent **$630K+** lobbying the EU for Chat Control while its CEO sat on WeProtect's board and its own technology could enforce the laws it lobbied for. By 2026, Australia, France, Malaysia, Indonesia, Italy, and multiple US states had followed.
|
|
|
|
**The same organizations appear across every jurisdiction.**
|
|
|
|
# The same funders pay for all of it
|
|
|
|
**Pierre Omidyar** (eBay founder) funds advocacy groups pushing these laws in both the US and Brazil simultaneously. His Luminate arm gave **$500K** to Data Privacy Brasil. His Imaginable Futures arm partners with Instituto Alana. Omidyar Network itself funds **Common Sense Media**, the primary US organization behind KOSA.
|
|
|
|
In Brazil, two branches of one banking family (the **Itau/Setubal dynasty**, controlling Latin America's largest bank) fund different advocacy groups that all pushed for the same law. **Ana Lucia Villela** (Itau board member, ~$1.5B net worth) founded Instituto Alana and its US arm ($8.15M in grants in 2022). **Jose Luiz Setubal** (Itau heir) founded Fundacao JLES, which directly funds the child protection coalition.
|
|
|
|
**Oak Foundation** (Switzerland) funds 5Rights, ECPAT, SaferNet Brasil, and sits on the board of WeProtect, a 100-country alliance pushing the same agenda.
|
|
|
|
# What happened in Brazil
|
|
|
|
Brazil passed its age verification law (the **Digital ECA**, Lei 15.211/2025) in September 2025. It took effect March 17, 2026. The law requires not just websites but **phone operating systems** (Android, iOS, Windows, Linux) to verify your age. Linux distributions including Arch Linux 32 and MidnightBSD began **geoblocking Brazil** because volunteer projects without legal representation cannot comply. Both blocks remain in place as of this writing. [Source](https://linuxiac.com/linux-distributions-begin-blocking-brazil-access-over-new-digital-law/)
|
|
|
|
The lawmaker who shaped the final text was **Jadyel Alencar**, the official rapporteur. He has a **criminal conviction** for receiving stolen medical supplies (upheld by the TRF1 appeals court). He is a defendant in an active fraud case involving **R$48 million** in suspected money laundering during COVID. His company raised mask prices from R$11 to R$189 during the pandemic. He declared R$107.5 million in personal assets but had a **court order for prison** because he failed to pay R$6,306.48 in child support. He has **93 judicial processes** on record. [Conviction](https://www.portalaz.com.br/colunas/39/direto-da-redacao/56923/jadyel-alencar-sofre-derrota-no-trf1-ja-ha-maioria-para-confirmar-con/) | [Child support arrest](https://cidadeverde.com/noticias/404893/juiz-decreta-prisao-de-jadyel-da-jupi-por-divida-de-pensao-a-filhos-menores-deputado-nega)
|
|
|
|
**The rapporteur of Brazil's child protection law had a prison order for failing to support his own children.** No media outlet questioned his designation.
|
|
|
|
# Meta's ghost-authored amendments
|
|
|
|
Meta (Facebook/Instagram) had a lobbyist who secretly wrote amendments to weaken the bill. These amendments were filed under a different politician's name, **Fernando Maximo**. The secret authorship was discovered because **the lobbyist forgot to remove his name from the document metadata**. [Intercept Brasil](https://www.intercept.com.br/2025/08/14/deputado-bolsonarista-emenda-lobista-meta-lei-criancas-internet/)
|
|
|
|
One amendment eliminated content moderation reporting obligations. The other removed fines and criminal sanctions. Maximo is under Federal Police investigation for **R$3.2 million** in ambulance fraud with R$30M+ in shell company bank movements. He is currently leading Senate polls at 46.1%. The attorney general's office has been completely silent on the ghost-authorship complaint for **seven months**.
|
|
|
|
The investigation cross-referenced five separate news reports and found that **every single politician Meta was documented meeting on the day the law was voted** is either under criminal investigation or has been convicted. One was indicted for embezzlement through a fake charity that listed a baby as a board member. Another had R$469,700 in cash seized by police, then backdated a property sale to explain it. [Gayer indictment](https://www.cnnbrasil.com.br/politica/pf-indicia-deputado-gustavo-gayer-por-desvio-de-cota-parlamentar/) | [Cavalcante cash](https://www.cnnbrasil.com.br/politica/entenda-operacao-da-pf-contra-sostenes-e-jordy-sobre-desvio-de-cotas/)
|
|
|
|
Alencar removed the **duty of care** from the bill, its strongest structural obligation, at the request of Meta and Google. His substitute text was entered into the system **47 seconds before the session opened**.
|
|
|
|
Meta also manufactured a fake document claiming that a different regulation bill (PL 2630) would ban Bible passages. Three internal Meta sources confirmed this to Agencia Publica. The document was delivered on paper "to leave no traces." A trade group whose members include Meta publicly took the blame after exposure. **The entire Evangelical Caucus mobilized** against the bill, which was pulled from the agenda. [Source](https://apublica.org/2025/09/how-big-tech-killed-brazils-fake-news-bill/)
|
|
|
|
# The revolving door to the Finance Ministry
|
|
|
|
Five days before this investigation was compiled, Brazil's president appointed **Dario Durigan** as Finance Minister. Durigan ran WhatsApp's public policy division (a Meta subsidiary) from 2020 to 2023. He moved into the Finance Ministry in 2023 as Executive Secretary. He was named minister on **March 19, 2026**.
|
|
|
|
The Finance Ministry oversees SECOM advertising budgets, tax policy for tech companies, and the SPA that signed a cooperation agreement with Conselho Digital (the tech lobby group). SECOM spent **R$35.8 million** on Meta platforms in 2025. R$129.6 million on internet advertising total, a national record. [Appointment](https://www.otempo.com.br/politica/governo/2026/3/20/saiba-quem-e-dario-durigan-nomeado-como-novo-ministro-da-fazenda-do-governo-lula)
|
|
|
|
**A former Meta executive controls the ministry that pays Meta tens of millions** in advertising while overseeing the regulatory framework for Meta's industry.
|
|
|
|
**Conselho Digital**, the lobbying vehicle for Google, Meta, Amazon, TikTok, Discord, and others, has **R$0 in declared capital**, a single registered officer, and publishes no financial statements. No audit exists. No lawmaker has requested transparency. Brazil has no lobbying disclosure law.
|
|
|
|
# Who actually checks your age
|
|
|
|
Private companies verify your identity under these laws. Not the government. Several of these companies have troubling backgrounds.
|
|
|
|
**Persona**, backed by billionaire Peter Thiel's Founders Fund and valued at $2 billion, was caught running **269 separate surveillance checks** on every person it verifies. These checks include scanning faces against government watchlists, screening for "adverse media" in 14 categories, and filing automatic reports with US and Canadian financial intelligence agencies. Internal project codenames: **"Project SHADOW"** and **"Project LEGION."** Persona has a direct partnership with Serpro, Brazil's government data processing service. [Persona exposure](https://cybernews.com/privacy/persona-leak-exposes-global-surveillance-capabilities/) | [Persona-Serpro partnership](https://www.prnewswire.com/news-releases/persona-partners-with-serpro-to-combat-identity-fraud-in-brazil-301628227.html)
|
|
|
|
**AU10TIX** handles identity verification for X (Twitter), TikTok, and Uber. It was founded by veterans of Israel's internal security agency, **Shin Bet**. Confirmed **Unit 8200** staff are on payroll. The company suffered an **18-month data breach** where admin credentials were posted publicly on Telegram and still worked when researchers tested them months later. [AU10TIX breach](https://www.malwarebytes.com/blog/news/2024/06/driving-licences-and-other-official-documents-leaked-by-authentication-service-used-by-uber-tiktok-x-and-more) | [Intel links](https://stateofsurveillance.org/articles/corporate/au10tix-x-verification-israeli-intelligence-2025/)
|
|
|
|
Meta uses **Yoti** for Instagram age verification. Yoti is certified under the IEEE standard that Kidron co-led. Yoti's revenue grew **62% in 2025**, driven significantly by the Instagram contract. The money flows from the law Kidron wrote, through the standard she co-chairs, to the company certified under that standard, paid for by Meta.
|
|
|
|
# Where does your data go
|
|
|
|
In Brazil, verification data flows through **Serpro**, a government data processor holding biometric records on **85 million citizens**. Serpro keeps query logs showing which company checked which citizen's identity and when. Once the Digital ECA drives mass verification, Serpro will hold a map of which citizens use which services.
|
|
|
|
Brazil's intelligence agency (**ABIN**) previously requested access to **76 million citizens' records** through Serpro. [Source](https://www.intercept.com.br/2020/06/06/abin-carteira-motorista-serpro-vigilancia/). The federal highway police bought a copy of the entire **80-million-person biometric database** for R$205,722.80 without publishing the purchase in any transparency portal. [Source](https://www.intercept.com.br/2023/05/02/prf-desrespeita-lei-e-compra-copia-da-base-de-dados-biometricos-de-todos-os-motoristas-com-cnh-no-brasil/). In February 2026, a Serpro employee was caught accessing **Supreme Court justices' tax records**.
|
|
|
|
Serpro's "sovereign cloud" runs on **Amazon Web Services** hardware. The deal was arranged by an AWS executive named **Sean Roche**, who previously served as **vice-director of the CIA's technology division**. The US CLOUD Act allows American courts to compel any US company to hand over data stored anywhere in the world. [CIA-AWS-Serpro connection](https://capitaldigital.com.br/serpro-discute-nuvem-soberana-com-ex-diretor-da-cia-atual-executivo-da-aws/)
|
|
|
|
ANPD itself found that Serpro's Datavalid service operates **without full legal basis** under Brazil's data protection law (LGPD). The case challenging Datavalid has been pending at the TCU for **six years**.
|
|
|
|
# The UK dimension: VPN bans and device scanning
|
|
|
|
On January 21, 2026, the UK House of Lords passed **Amendment 92** in the Children's Wellbeing and Schools Bill by **207 to 159**. The amendment, authored by **Lord Nash** (Conservative venture capitalist linked to **GBP 3.8 billion** in government contracts through 75 company interests), would ban VPN services for anyone under 18 in the UK. The only way to verify that a user is not a minor is to verify everyone.
|
|
|
|
**Amendment 93** (withdrawn but still alive) would require **"tamper-proof system software"** on all smartphones and tablets that scans for child abuse material in real time, covering recording, transmitting including livestreaming, and viewing. This goes further than Apple's abandoned NeuralHash system, which only covered iCloud uploads before Apple killed it in 2022 after nearly 100 rights groups objected. Germany's equivalent device scanning system showed a **48.3% false positive rate**.
|
|
|
|
Signal President **Meredith Whittaker** said Signal "would absolutely, 100% walk" from the UK rather than implement scanning. WhatsApp threatened to pull the app.
|
|
|
|
The House of Commons rejected the Lords VPN ban on March 9, 2026, **307 to 173**. But they replaced it with "amendments in lieu" granting the Secretary of State broad discretionary powers to restrict VPNs, ban social media for certain ages, and modify GDPR provisions **without new legislation**. Open Rights Group warned that these powers are potentially more dangerous because they bypass parliamentary debate. ORG titled their response **"MPs give ministers powers to restrict entire Internet."** [ORG](https://www.openrightsgroup.org/press-releases/mps-give-ministers-powers-to-restrict-entire-internet/)
|
|
|
|
VPN usage surged **1,400%** in the UK following these debates. Brazil saw a **250% surge** when the Digital ECA took effect. A protest Linux distribution called **"Ageless Linux"** was launched.
|
|
|
|
France's digital affairs minister declared **"VPNs are next on my list."** The EU flagged VPNs for regulatory attention. Michigan proposed ISP-level VPN blocking with $500K fines.
|
|
|
|
# The financial layer
|
|
|
|
**Barclays**, one of the UK's largest banks, holds approximately **$2 billion in Palantir shares**. Peter Thiel co-founded Palantir with CIA venture capital money. Palantir was just awarded a trial contract to process data for the **UK Financial Conduct Authority**, the regulator that oversees Barclays. A bank holds shares in the company processing its own regulator's data. [Palantir FCA contract](https://www.theregister.com/2026/03/23/palantir_fca/) | [Barclays Palantir shares](https://www.thenerve.news/p/palantir-uk-companies-investment-pension-fund-billions-legal-general-barclays-aviva-peter-thiel)
|
|
|
|
**Thiel is the connective tissue.** He co-founded Palantir (surveillance). His Founders Fund backed Persona (age verification, 269 checks per user). He sat on Meta's board from 2005 to 2022.
|
|
|
|
**UNICEF** hosts the main global fund pushing these laws (**$83 million+**). UNICEF lobbied Brazil to pass the Digital ECA. But UNICEF's own December 2025 policy paper states that **"age estimation measures using biometric data pose an unacceptable risk and should not be used."** The organization that lobbied for the law says the methods the law requires are unacceptably risky. [UNICEF lobbying](https://www.unicef.org/brazil/comunicados-de-imprensa/unicef-pede-urgencia-na-aprovacao-do-projeto-de-lei-de-protecao-de-criancas) | [UNICEF warning](https://www.unicef.org/documents/policy-note-drawing-line-digital-spaces)
|
|
|
|
# What Meta actually wants
|
|
|
|
Meta trial documents from February 2026 reveal internal communications. A 2018 document: **"If we wanna win big with teens, we must bring them in as tweens."** Approximately **4 million children under 13** were on the platform. **216 million users** had an "unknown" age. Nick Clegg described age restrictions as "practically impossible to enforce" in an internal email. [Trial](https://www.cnn.com/2026/02/18/tech/meta-mark-zuckerberg-testifies-social-media-addiction-trial)
|
|
|
|
Meta spent **$26.3 million** on US federal lobbying in 2025 pushing for age verification laws that require phone operating systems to check ages, not Meta's platforms. Meta funds the child safety groups that advocate for these laws (through the Tech Coalition) while also funding **NetChoice**, which sues to block the same laws in at least **27 US states**. NetChoice revenue grew from **$3M to $34M** since 2020. [Lobbying spend](https://www.opensecrets.org/federal-lobbying/clients/summary?id=D000033563) | [Two Faces of Big Tech](https://accountabletech.org/research/the-two-faces-of-big-tech/)
|
|
|
|
CNBC and US News (March 2026) reported that tech companies "tacitly supported age verification as a less threatening alternative" to algorithmic regulation. The reporting described this as **"regulatory capture disguised as compromise."**
|
|
|
|
# The pattern
|
|
|
|
The investigation maps one architecture operating across jurisdictions.
|
|
|
|
One foundation writes the laws and co-chairs the technical standard. A trade body head chairs the certification. Verification companies sell compliance. Government data brokers retain query logs. Intelligence agencies have documented access to those brokers. The cloud infrastructure is subject to the CLOUD Act. Philanthropic funders pay for advocacy in multiple countries simultaneously. **No transparency mechanism in any country captures any of these flows.**
|
|
|
|
The law creates the identity requirement. VPN restrictions close the last circumvention path. **The same companies that verify ages on platforms would verify ages for VPN access.**
|
|
|
|
# A note on Reddit suppression
|
|
|
|
Earlier versions of this investigation were posted to r/linux by u/Ok_Lingonberry3296. The original post ("I traced $2 billion in nonprofit grants and 45 states of lobbying records to figure out who's behind the age verification bills") reached **14,289 points** with a **99% upvote ratio**. It survived after a temporary automod removal.
|
|
|
|
Every follow-up post was killed. The UPDATE post linking to tboteproject.com hit **505 points with a 98% upvote ratio** before mass reports triggered automod removal. Mods were notified. They never restored it. A post documenting Amutable's German Handelsregister corporate filings was removed the same way. Cross-posts to r/privacy and r/opensource were manually removed by moderators. The poster was **banned from r/opensource**.
|
|
|
|
The stickied replacement post was written by u/Quiet-Owl9220, a **4-month-old account** with zero r/linux comment history. Their activity is almost entirely in r/AustralianPolitics. How a 4-month-old Australian politics account became a moderator of a **1M+ subscriber** Linux subreddit is unexplained. Their post was also automod-removed but was restored and pinned. Investigation posts by regular users were left dead.
|
|
|
|
The pattern is clear. General discussion about age verification survives on r/linux. Posts containing **primary-source evidence** (IRS filings, Handelsregister documents, lobbying records, corporate affiliation maps, funding flows) get mass-reported and left removed. **Facts are suppressed. Opinions are permitted.**
|
|
|
|
PullPush archive searches return **zero results** for "birthDate," "amutable," and "tboteproject" across all of Reddit. The topic has been effectively memory-holed from Reddit's archival infrastructure.
|
|
|
|
Community members noticed. Users described "malicious mass reporting" and asked why mods were "censoring" the posts. Lunduke covered the censorship on his Substack. Level1Techs covered it on their forum. The suppression became a story in itself.
|
|
|
|
**I am posting this knowing the same thing will likely happen again.** If this post disappears, the full investigation is permanently published outside Reddit at the links below.
|
|
|
|
---
|
|
|
|
**The full investigation** (16 files, 470 sources, all public records) is published at:
|
|
https://tboteproject.com/findings/
|
|
|
|
**Source repository:**
|
|
https://tboteproject.com/git/hekate/surveillance-findings
|
|
|
|
**Reddit suppression documentation:**
|
|
https://tboteproject.com/git/hekate/reddit-findings
|
|
|
|
---
|
|
|
|
This investigation was compiled on March 24, 2026. If you want to verify any claim, every source link is in the published files. Read the sources yourself. Draw your own conclusions.
|
|
|
|
# Supporting this work
|
|
|
|
TBOTE has future projects planned that go deeper than what we have published so far. Mirrors, protest-ware, guides, new websites and applications for the community. All of it runs on infrastructure that costs money and cannot be funded through conventional channels.
|
|
|
|
Future servers and projects require privacy-respecting providers that accept cryptocurrency and do not require personal information. Providers in separate jurisdictions, VPNs, various tools, and disposable research infrastructure add up. Contributors to this project also maintain personal security measures: hardware security keys, burner devices for research, VPN subscriptions, encrypted communication tools, and in most cases physical security equipment. These are not optional expenses when investigating organizations with the resources to identify and retaliate against researchers.
|
|
|
|
**Every dollar goes directly to keeping the infrastructure online and the people behind it safe.** We do not run ads, collect data, or accept sponsorship from any organization we might investigate.
|
|
|
|
A Monero address to donate to can be found at https://tboteproject.com/donate/
|